Inside the black market 'bug trade'

Better code the only ammunition against black market software vulnerabilities

"We always recommend users to have a firewall, because it puts a barrier in between a weakness and the rest of the world," he said. "But your firewall is made of software and even that can have vulnerability on it.

Rice claimed that while the total number of attacks and vulnerabilities is actually on the decline, the most critical, zero-day bugs are rising dramatically. He said the fact that software manufacturing processes has largely stayed the same in recent years might be contributing to the problem.

"Plus, hackers are developing extremely good software development practices for their malware," he added.

Rice also said that while the adoption of software engineering best practice guidelines, such as Capability Maturity Model Integration (CMMI), is helpful, most companies don't have much incentive to continue to the highest levels of the program.

"Getting to a CMMI Level 5 can be very tedious and expensive," Rice said. "Until it becomes more expensive to not be at Level 5, there will be no incentive to get to that level."

And one look at the prices these vulnerabilities are going for on the black market, he said, is a testament to the size of these online criminal syndicates and the challenges they pose to software developers.

"A recent Internet Explorer exploit was priced at US$100,000, while some bugs have even reached upwards of US$250,000. Some of these cyber lords even have better research facilities than Symantec and McAfee right now."

Working to combat the bug trade are companies like iDefense Labs and TippingPoint Technologies, which often purchase vulnerabilities off the black market in order to help companies against potential attacks.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about GartneriDefenseMcAfee AustraliaMozillaOpen MarketPLUSSymantecTippingPointTippingPointWebrootWebroot Software

Show Comments